-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 14.1.2
-
Fix Version/s: 14.1.4
-
Component/s: REST, LDAP, oAuth2, OpenID, Shibboleth Adapter
-
Labels:None
-
Funded by:
Creating new groups in a course with /repo/courses/{courseId}/groups results in a 401 error (not authorized). This patch fixes that:
diff --git a/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java b/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
index 58623e9..4dc1509 100644
--- a/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
+++ b/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
@@ -51,6 +51,8 @@
 import org.olat.core.util.vfs.QuotaManager;
 import org.olat.core.util.vfs.VFSContainer;
 import org.olat.core.util.vfs.VFSManager;
+import org.olat.course.CourseFactory;
+import org.olat.course.ICourse;
 import org.olat.group.BusinessGroup;
 import org.olat.group.BusinessGroupService;
 import org.olat.group.model.SearchBusinessGroupParams;
@@ -212,7 +214,8 @@
 	@Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
 	@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
 	public Response putNewGroup(GroupVO group, @Context HttpServletRequest request) {
-		if(!RestSecurityHelper.isGroupManager(request)) {
+		ICourse icourse = CourseFactory.loadCourse(course.getResourceableId());
+		if(!RestSecurityHelper.isGroupManager(request) && !RestSecurityHelper.isOwnerGrpManager(icourse, request)) {
 			return Response.serverError().status(Status.UNAUTHORIZED).build();
 		} else if(course == null) {
 			return Response.serverError().status(Status.NOT_FOUND).build();
diff --git a/src/main/java/org/olat/restapi/security/RestSecurityHelper.java b/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
index 8804b11..d67190c 100644
--- a/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
+++ b/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
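Review bot: The new `CourseFactory.loadCourse(course.getResourceableId())` line dereferences `course` before the `else if(course == null)` branch that follows it, so a request for an unknown course now fails with a NullPointerException (a 500) instead of the 404 that branch was written to return. Move the existence check ahead of the load: make `if(course == null) { return Response.serverError().status(Status.NOT_FOUND).build(); }` the first statement, then `ICourse icourse = CourseFactory.loadCourse(course.getResourceableId());` and the combined authorization test. The course is also loaded even when `isGroupManager(request)` alone already grants access; loading it only when that first check fails would avoid the extra work, though that is minor. `course` is presumably a field set when this sub-resource is created — its declaration is outside the hunk, and putNewGroup's body continues past the hunk's last line.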
@@ -79,6 +79,19 @@
 		}
 	}
 
+	public static boolean isOwnerGrpManager(ICourse course, HttpServletRequest request) {
+		try {
+			Roles roles = getRoles(request);
+			if(roles.isAdministrator()) return true;
+			CourseGroupManager cgm = course.getCourseEnvironment().getCourseGroupManager();
+			UserRequest ureq = getUserRequest(request);
+			Identity identity = ureq.getIdentity();
+			return cgm.isIdentityCourseAdministrator(identity) || cgm.hasRight(identity, CourseRights.RIGHT_GROUPMANAGEMENT);
+		} catch (Exception e) {
+			return false;
+		}
+	}
+
 	public static boolean isAuthorGrpManager(ICourse course, HttpServletRequest request) {
 		try {
 			Roles roles = getRoles(request);
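Review bot: `catch (Exception e) { return false; }` in the new `isOwnerGrpManager` turns every failure — a course whose `getCourseEnvironment()` throws, a request without a user session, a NullPointerException out of `getRoles` — into a silent deny that leaves no trace in the logs. Denying on error is the right default for an authorization check, but the exception should be recorded before returning, e.g. `} catch (Exception e) { log.error("", e); return false; }` with whatever logger RestSecurityHelper already declares (not visible in the hunk), and the catch narrowed if the callees only throw specific types. A short Javadoc stating that the check passes for global administrators, course administrators and identities holding `CourseRights.RIGHT_GROUPMANAGEMENT` would help callers choose between this helper and the neighbouring `isAuthorGrpManager`, whose body continues outside the hunk. As a style nit, the `Roles roles` local serves only the administrator shortcut and could be inlined as `if(getRoles(request).isAdministrator()) return true;`.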
BTW: The function isAuthorGrpManager() is unused, and it would not be correct in this context because it would grant any author the right to create groups in any course.